Networking

Overview

We will build infrastructure based on this architecture: a VPC with 2 Public Subnets, an Internet Gateway attached to the VPC, and a Route Table that lets the EC2 instances in the Public Subnets reach the internet.


Set up Files

In the Networking folder, create three files and name them respectively as main.tf, variables.tf, and outputs.tf.


First, we will define the Availability Zones we use in the variables.tf file.

By default, we use 2 AZs, ap-southeast-1a and ap-southeast-1b. We also define an input variable for the VPC CIDR.

variable "availabitity_zones" {
  description = "AZs in this region to use"
  default = ["ap-southeast-1a", "ap-southeast-1b"]
}
variable "cidr_block" {
  # No default: the value is supplied with -var or a .tfvars file at plan time.
  # It must contain the subnet CIDRs used below (10.10.1.0/24 and 10.10.2.0/24).
  description = "CIDR block for the VPC"
  type        = string
}

In the main.tf file, we create the resources themselves: the VPC, the Public Subnets, the Route Table, the Security Groups and the Internet Gateway.

VPC

We use the aws_vpc resource to create the VPC. You can read more about this resource in the Terraform AWS provider documentation.

resource "aws_vpc" "one-tier-vpc" {
  cidr_block            = var.cidr_block
  enable_dns_hostnames  = true
  enable_dns_support    = true
  tags = {
    Name = "vpc-workshop-2"
  }
}

2 Public Subnets

For the subnets, we use the aws_subnet resource to create 2 Public Subnets with CIDRs 10.10.1.0/24 and 10.10.2.0/24, one in each Availability Zone. Setting map_public_ip_on_launch to true gives instances launched in these subnets a public IPv4 address; together with the route to the Internet Gateway below, that is what makes them public.

resource "aws_subnet" "public_subnet_1" {
  vpc_id                    = aws_vpc.one-tier-vpc.id
  availability_zone         = var.availabitity_zones[0]
  cidr_block                = "10.10.1.0/24"
  map_public_ip_on_launch   = true
  tags = {
    "Name" = "Public Subnet 1"
  }
}

resource "aws_subnet" "public_subnet_2" {
  vpc_id                    = aws_vpc.one-tier-vpc.id
  availability_zone         = var.availabitity_zones[1]
  cidr_block                = "10.10.2.0/24"
  map_public_ip_on_launch   = true
  tags = {
    "Name" = "Public Subnet 2"
  }
}

Internet Gateway

We use the aws_internet_gateway resource to create the IGW and attach it to the VPC.

resource "aws_internet_gateway" "one_tier_igw" {
  vpc_id = aws_vpc.one-tier-vpc.id
  tags = {
    "Name" = "Workshop2 IGW"
  }
}

Route Table Public

We use the aws_route_table resource to create a Public Route Table, then add a routing entry with aws_route that sends traffic from the Public Subnets destined for 0.0.0.0/0 to the Internet Gateway.

Last, we associate the Public Route Table with the 2 Public Subnets using the aws_route_table_association resource.

resource "aws_route_table" "public_rt" {
  vpc_id = aws_vpc.one-tier-vpc.id
  tags = {
    "Name" = "Public Route Table"
  }
}

resource "aws_route" "public_route" {
  route_table_id            = aws_route_table.public_rt.id
  destination_cidr_block    = "0.0.0.0/0"
  gateway_id                = aws_internet_gateway.one_tier_igw.id
}

resource "aws_route_table_association" "one_tier_rt_public_associate_1" {
  route_table_id    = aws_route_table.public_rt.id
  subnet_id         = aws_subnet.public_subnet_1.id
}

resource "aws_route_table_association" "one_tier_rt_public_associate_2" {
  route_table_id    = aws_route_table.public_rt.id
  subnet_id         = aws_subnet.public_subnet_2.id
}

Public Security Group

The http data source retrieves the public IPv4 address of the machine running Terraform, so the SSH rule below can be restricted to that single address. It comes from the hashicorp/http provider (the response_body attribute used below replaced body in version 3 of that provider).

You can read more about this data source in its provider documentation.

data "http" "local_ip" {
  url = "https://ipv4.icanhazip.com"
}

We will define 2 inbound rules for the Security Group.

  • The first rule allows SSH only from your local machine: the data source supplies your machine's public IPv4 address, and the /32 suffix limits the rule to that one host. Because the address is looked up at plan time, the rule changes (and the Security Group is updated) whenever your machine's public IP changes.
  • The second rule allows HTTP on port 80 only from the Application Load Balancer, by referencing the ALB Security Group instead of a CIDR range.

resource "aws_security_group" "one_tier_public_sg" {
  name          = "Public Security Group"
  description   = "Allow HTTP and SSH inbound traffic"
  vpc_id        = aws_vpc.one-tier-vpc.id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [ "${chomp(data.http.local_ip.response_body)}/32" ]
  }
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.one_tier_alb_sg.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    create_before_destroy = true
  }
}

ALB Security Group

The ALB security group lets users reach the Application Load Balancer from the internet on port 80; from there, traffic is forwarded to the Auto Scaling Group instances, whose Public Security Group accepts HTTP only from this group.

resource "aws_security_group" "one_tier_alb_sg" {
  name      = "ALB Security Group"
  vpc_id    = aws_vpc.one-tier-vpc.id
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
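A check a practitioner would run over the plan before terraform apply, written here as an added example rather than workshop code: it audits the Public and ALB security groups above for the two properties the text describes (SSH only from a single host; only the ALB Security Group reachable from 0.0.0.0/0, and only on 80/tcp). The plan JSON, the 203.0.113.7 address and the sg- id are constructed samples in the shape terraform show -json emits.

```python
"""Audit of the page's two security groups over `terraform show -json` output.
Added example, not the workshop's Terraform; SAMPLE_PLAN is a constructed,
trimmed sample in Terraform's plan shape and the sg- id is a placeholder."""
import ipaddress
import json

# Constructed sample; real input: terraform plan -out=tfplan && terraform show -json tfplan
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_security_group.one_tier_public_sg", "type": "aws_security_group",
     "change": {"after": {"ingress": [
         {"from_port": 22, "to_port": 22, "protocol": "tcp",
          "cidr_blocks": ["203.0.113.7/32"], "security_groups": []},
         {"from_port": 80, "to_port": 80, "protocol": "tcp",
          "cidr_blocks": [], "security_groups": ["sg-0123456789abcdef0"]}]}}},
    {"address": "aws_security_group.one_tier_alb_sg", "type": "aws_security_group",
     "change": {"after": {"ingress": [
         {"from_port": 80, "to_port": 80, "protocol": "tcp",
          "cidr_blocks": ["0.0.0.0/0"], "security_groups": []}]}}},
]})

# Security groups allowed to face the internet, and on which TCP ports only.
INTERNET_FACING = {"aws_security_group.one_tier_alb_sg": {80}}


def covers_port(rule, port):
    """True if an ingress rule admits `port`; protocol -1 means every port."""
    return rule["protocol"] == "-1" or rule["from_port"] <= port <= rule["to_port"]


def audit_security_groups(plan_json, internet_facing=INTERNET_FACING):
    """Return findings as strings; empty means the plan matches the design:
    SSH only from a single /32, only the ALB SG open to 0.0.0.0/0, and only on 80."""
    findings = []
    for rc in json.loads(plan_json)["resource_changes"]:
        if rc["type"] != "aws_security_group":
            continue
        addr, after = rc["address"], rc["change"].get("after") or {}
        for rule in after.get("ingress", []):
            ports = f"{rule['from_port']}-{rule['to_port']}/{rule['protocol']}"
            for cidr in rule.get("cidr_blocks", []):
                net = ipaddress.ip_network(cidr, strict=False)
                if covers_port(rule, 22) and net.prefixlen < 32:
                    findings.append(f"{addr}: SSH reachable from {cidr}")
                if net.num_addresses == 1:
                    continue  # single-host source, like the SSH rule above
                if addr not in internet_facing:
                    findings.append(f"{addr}: {ports} open to {cidr}")
                elif (rule["protocol"] != "tcp" or rule["from_port"] != rule["to_port"]
                      or rule["from_port"] not in internet_facing[addr]):
                    findings.append(f"{addr}: {ports} wider than allowed from {cidr}")
    return findings
```

Rules whose source is another security group (the port 80 rule on the Public SG) carry no CIDR and therefore produce no finding; the check is about what the internet can reach.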

Output

After defining resources, we need to output some variables for other resources, like Compute, to use. We will do that in the outputs.tf file.

output "vpc_id" {
  value = aws_vpc.one-tier-vpc.id
}
output "public_subnet_1_id" {
  value = aws_subnet.public_subnet_1.id
}
output "public_subnet_2_id" {
  value = aws_subnet.public_subnet_2.id
}
output "public_sg_id" {
  value = aws_security_group.one_tier_public_sg.id
}
output "alb_sg_id" {
  value = aws_security_group.one_tier_alb_sg.id
}

You can see that we output the IDs of the VPC, the 2 Public Subnets, the Public SG and the ALB SG.

So, let’s move on to the Compute folder.